Security Alerts


Ransomware access brokers use Google ads to breach your network

A threat actor known as DEV-0569 is using Google Ads in widespread, ongoing advertising campaigns to distribute malware, steal victims' passwords, and ultimately breach networks for ransomware attacks. The ads pretend to be websites for popular software programs, such as LightShot, Rufus, 7-Zip, FileZilla, LibreOffice, AnyDesk, Awesome Miner, TradingView, WinRAR, and VLC, but when the download links are clicked, the user commonly downloads an MSI file that installs different malware depending on the campaign. Malware installed in these campaigns so far includes RedLine Stealer, Gozi/Ursnif, Vidar, and potentially Cobalt Strike and ransomware. The threat actors behind BatLoader, DEV-0569, have been using Google ads to promote their malicious sites, which has ultimately led to the deployment of Royal Ransomware on breached networks. They are believed to be an initial access broker that uses its malware distribution system to breach corporate networks and then either uses the access in its own attacks or sells it to other malicious actors.
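As an added example, not from the article: a small Python check a defender could run over web proxy logs to surface the pattern described above, an installer download from a host whose name borrows one of the impersonated product names but is not on an allowlist of vetted download hosts. The log format, the sample host names and the allowlist entries are constructed for illustration; maintain your own allowlist.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Product names the campaign impersonated, as listed in the article.
IMPERSONATED = ["lightshot", "rufus", "7-zip", "7zip", "filezilla", "libreoffice",
                "anydesk", "awesome miner", "awesomeminer", "tradingview", "winrar", "vlc"]

# Assumed allowlist of vetted download hosts (example entries; replace with your own).
ALLOWED_HOSTS = {"www.7-zip.org", "www.videolan.org", "filezilla-project.org",
                 "www.libreoffice.org", "anydesk.com", "www.win-rar.com"}

# The article says MSI is the common payload; .exe is included for completeness.
INSTALLER_EXT = re.compile(r"\.(msi|exe)$", re.IGNORECASE)

def brand_in_host(host: str) -> Optional[str]:
    """Return the impersonated product name embedded in a hostname, if any."""
    h = host.lower().replace("-", "")
    for name in IMPERSONATED:
        if name.replace("-", "").replace(" ", "") in h:
            return name
    return None

def is_suspicious(url: str) -> bool:
    """Installer download + brand keyword in host + host not allowlisted."""
    p = urlparse(url)
    host = p.hostname or ""
    if not INSTALLER_EXT.search(p.path):
        return False
    if host in ALLOWED_HOSTS:
        return False
    return brand_in_host(host) is not None

def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, url) for each suspicious download in constructed-format logs."""
    hits = []
    for line in lines:
        parts = line.split()          # constructed format: "<ts> <src_ip> GET <url> <status>"
        if len(parts) < 4:
            continue
        if is_suspicious(parts[3]):
            hits.append((parts[1], parts[3]))
    return hits

# Constructed sample proxy log lines (hosts under the reserved .example TLD).
SAMPLE_LOG = [
    "2023-01-20T10:01:02Z 10.0.0.5 GET https://www.7-zip.org/a/7z2201-x64.exe 200",
    "2023-01-20T10:03:44Z 10.0.0.7 GET https://7zip-download.example/setup/7zip-setup.msi 200",
    "2023-01-20T10:05:10Z 10.0.0.9 GET https://cdn.example/img/banner.png 200",
    "2023-01-20T10:06:30Z 10.0.0.9 GET https://get-anydesk-app.example/AnyDesk.msi 200",
    "2023-01-20T10:07:00Z 10.0.0.11 GET https://www.videolan.org/vlc/download-windows.html 200",
]

if __name__ == "__main__":
    for ip, url in scan(SAMPLE_LOG):
        print(f"suspicious installer download from {ip}: {url}")
```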

Link

https://www.bleepingcomputer.com/news/security/ransomware-access-brokers-use-google-ads-to-breach-your-network/